We have migrated from IIQ to ISC, and there are hundreds of access requests in IIQ with future sunset dates. During the migration, ISC did not capture these sunset dates. We attempted to submit bulk access requests to set the expiration dates, but this approach is not working since the users already have the access. I also tried submitting revoke access requests with expiration dates, but this only created identity events, not access requests. Is there another way to achieve this?
We cannot set sunset on existing access. Unlike IIQ, you cannot set it in the backend; in IIQ we can just edit it in the debug page.
The best way is to launch Access Reviews, revoke the access, and resubmit the access request with sunset, preferably without any approvals, as it is one-time work.
Is there an option to do this through the API? I used the below API to revoke the access with remove date. Even that is not creating the access request.
Thank you, I didn’t observe this feature. I tried to add sunset to the existing Role and it is working fine. You don’t see the end date in the UI; get this user in search and download the report with Include Access Details, and you can see the Access Expiration date there in the Excel file.
Below is the body I used,
```json
{
  "requestedFor": [
    "16dhjsef7skedjhew73ioo8909000"
  ],
  "requestType": "REVOKE_ACCESS",
  "requestedItems": [
    {
      "type": "ROLE",
      "id": "85555wefsdfeirfkdkmfvgjkeriieie",
      "comment": "testing",
      "clientMetadata": null,
      "removeDate": "2025-03-25T21:23:15.000Z"
    }
  ],
  "clientMetadata": null
}
```
From the docs:
REVOKE_ACCESS
- Can only be requested for a single identity at a time.
- You cannot use an access request to revoke access from an identity if that access has been granted by role membership or by birthright provisioning.
- Does not support self request. Only manager can request to revoke access for their directly managed employees.
- If a `removeDate` is specified, then the access will be removed on that date and time only for roles, access profiles and entitlements.
- Roles, access profiles, and entitlements can be requested for revocation.
- Revoke requests for entitlements are limited to 1 entitlement per access request currently.
- You can specify a `removeDate` if the access doesn’t already have a sunset date. The `removeDate` must be a future date, in the UTC timezone.
- Allows a manager to request to revoke access for direct employees. A user with ORG_ADMIN authority can also request to revoke access from anyone.
With revoke_access, I tried to set the expiration date as a future date. It created the identity event. But the access was not revoked on the expiration date.
Note: The entitlement isn’t tagged with any role.
And I have the ORG_ADMIN authority.
I updated the end date for the existing Role and it was removed successfully.
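An added example, not from any poster in this thread and not SailPoint code: a pre-flight check that applies the REVOKE_ACCESS rules quoted from the docs above to a request body before it is submitted. The function names and the placeholder IDs are assumptions, and it covers only rules visible in the body itself; rules that depend on tenant state (access granted by role membership or birthright, an existing sunset date, the manager relationship) cannot be checked this way.

```python
from datetime import datetime, timezone

REVOCABLE_TYPES = {"ROLE", "ACCESS_PROFILE", "ENTITLEMENT"}

# Constructed sample body (placeholder IDs), same shape as the one posted above.
SAMPLE = {
    "requestedFor": ["<identity-id>"],
    "requestType": "REVOKE_ACCESS",
    "requestedItems": [
        {"type": "ROLE", "id": "<role-id>", "removeDate": "2025-03-25T21:23:15.000Z"}
    ],
}

def parse_utc(value):
    """Parse an ISO-8601 timestamp; return None unless it is explicitly UTC."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None
    if parsed.tzinfo is None or parsed.utcoffset().total_seconds() != 0:
        return None
    return parsed

def check_revoke_request(body, now=None):
    """Return the list of rule violations for a REVOKE_ACCESS body (empty = passes)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if body.get("requestType") != "REVOKE_ACCESS":
        problems.append("requestType is not REVOKE_ACCESS")
    if len(body.get("requestedFor") or []) != 1:
        problems.append("REVOKE_ACCESS takes exactly one identity in requestedFor")
    items = body.get("requestedItems") or []
    if not items:
        problems.append("requestedItems is empty")
    if sum(1 for i in items if i.get("type") == "ENTITLEMENT") > 1:
        problems.append("more than 1 entitlement in a single revoke request")
    for n, item in enumerate(items):
        if item.get("type") not in REVOCABLE_TYPES:
            problems.append(f"item {n}: type {item.get('type')!r} cannot be revoked")
        raw = item.get("removeDate")
        if raw is None:
            continue  # no sunset requested for this item
        when = parse_utc(raw)
        if when is None:
            problems.append(f"item {n}: removeDate {raw!r} is not a UTC timestamp")
        elif when <= now:
            problems.append(f"item {n}: removeDate {raw!r} is not in the future")
    return problems
```
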